B2C Authentication in Azure Analysis Services - azure-ad-b2c

I have trouble linking my B2C AAD to Azure Analysis Services. Is this even possible? If yes, what's the best way to build it in?
The documentation states "Azure Analysis Services supports Azure AD B2B collaboration" but doesn't mention B2C. Is there a workaround?

It is not listed in the release notes and a number of others have asked about this, so from what I can tell it does not appear to be supported. I have escalated your question to the Microsoft product group and will get back to you as soon as I have a definitive answer.
In the meantime you can make a feature request in User Voice. https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c

Related

Azure Chatbot - SSO with Webapp

I have created a web application using Django and embedded the Azure chatbot after publishing it. Once the user logs into the web app, I would like to transmit login info to the chatbot embedded on the app in order to give customized interactions, e.g. "Hello Richard, how may I help you?" etc. I believe Azure AD SSO is a good option, but I couldn't find good resources on how to implement it for my use case.
Is AAD SSO the best option?
If yes, can anyone please guide me to resources that I can refer to in order to implement it?
If no, please provide some info on what's the most optimal approach for this use case.
Here are the samples for Bot Authentication and Bot Authentication with Azure and MSGraph, as well as the documentation on user auth in bots.
If your users can be authenticated using Azure AD SSO, then yes, it's a good solution.

Azure AD B2C SSO with Sitecore and Dynamics 365 Portals

We have a simple scenario, but the technologies (or implementation) have made things a bit complex:
We have Sitecore as CMS for the client's main web site, and for business functionality we have Dynamics 365 Portal; we are using Azure AD B2C as the identity provider for both.
We have a heavily customised B2C custom policy to cater for specific requirements.
We are using the same custom policy in Sitecore and in Dynamics 365 Portals, so signing in individually works perfectly without any issues.
With regards to SSO, we have kept the configuration as OOTB as you can find it here.
Only 1 or 2 user journeys are absolutely perfect, as good as seamless journeys. In specific journeys we need the user to be logged in at both ends to make it work (we can force the user to go to the sign-in page, but it is not required on all the pages).
In order to understand how real and proper SSO should work in Azure AD B2C, I have no idea or experience to relate this process to, so I am looking for guidance and help here.
I found very good information in this about how B2C works in terms of the sign-in and token-providing process, but it is a bit of an old question and things have changed a lot since then, specifically the UI and some of the operations.
Use the following docs when configuring session management for a custom policy. The Session Behavior section is where you define the SSO behavior. Specifically:
<SingleSignOn Scope="Application" />
If you want your users to get SSO between all applications, then define this value as "Tenant". There are several useful scenarios for creating separation between sessions, such as a company that has multiple brands that do not want to conflict with each other, or a separation of experiences.
Follow the exact format and location where it is to be placed in your policy, or you will not get the desired result.
Another concept that is important is understanding the session provider:
SSO session management has two parts. The first deals with the user's interactions directly with Azure AD B2C and the other deals with the user's interactions with external parties such as Facebook. Azure AD B2C does not override or bypass SSO sessions that might be held by external parties. Rather the route through Azure AD B2C to get to the external party is “remembered”, avoiding the need to reprompt the user to select their social or enterprise identity provider. The ultimate SSO decision remains with the external party.
Session providers are used to define and maintain what goes into generating the session when your policy is being executed (inside the Identity Experience Framework). If marked incorrectly, this could lead to undesirable results such as wrong claims being sent, additional MFA prompts, parts of your policy not being maintained when run, or just general errors.
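As an added illustration (not part of the answer above, and not a verbatim copy of Microsoft's starter pack), the two pieces the answer describes side by side: the SingleSignOn scope in the relying-party file, and the session provider that a technical profile points at. The profile Ids (PolicyProfile, SM-AAD, SM-SocialLogin, Facebook-OAUTH) follow the starter-pack naming convention and are assumed here; the PersistedClaims list is shortened.

```xml
<!-- Relying-party file (e.g. SignUpOrSignin.xml): the session scope for this policy -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <!-- "Tenant" shares the B2C session across every application registered in
         the tenant (the Sitecore + Dynamics 365 case). "Application" keeps a
         separate session per application, e.g. for separate brands. -->
    <SingleSignOn Scope="Tenant" />
    <SessionExpiryType>Rolling</SessionExpiryType>
    <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

<!-- Extensions file: the two kinds of session provider the answer describes -->
<ClaimsProvider>
  <DisplayName>Session Management</DisplayName>
  <TechnicalProfiles>
    <!-- Part 1: the user's own session with Azure AD B2C. Only the claims
         listed in PersistedClaims survive into the next SSO run; a missing
         claim here is one cause of the "wrong claims" symptom. -->
    <TechnicalProfile Id="SM-AAD">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
        <PersistedClaim ClaimTypeReferenceId="identityProvider" />
      </PersistedClaims>
    </TechnicalProfile>
    <!-- Part 2: only remembers the route to an external IdP (e.g. Facebook);
         the IdP's own session is neither overridden nor bypassed. -->
    <TechnicalProfile Id="SM-SocialLogin">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.ExternalLoginSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- The external IdP's technical profile selects the external-login provider -->
<TechnicalProfile Id="Facebook-OAUTH">
  <!-- OAuth2 metadata, keys and claim mappings omitted -->
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
```

Changing the Scope value alone does nothing if the application's own cookie-based session (Sitecore or the Portal) has already expired or was never established; the B2C session only saves the user from re-authenticating when the application redirects back to B2C.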
This is for those who are interested in how we achieved this:
Sitecore also offers OOTB Azure AD B2C configuration; however, the supplier of the Sitecore delivery side decided not to use the OOTB configuration approach, and hence it caused a lot of issues. From what I have read about Sitecore configuration for Azure AD B2C, it does work smoothly with B2C with careful configuration.
Workaround: we had to rely on external triggers (e.g. a cookie) which indicate that a user has signed on on either side, and accordingly the sign-in process on both sides kicks off.

OneLogin Azure AD as a Directory

Our organization uses Azure AD and not Microsoft AD DS.
Does OneLogin integrate with Azure Active Directory as a 'Directory', apart from the traditional on-prem AD DS? Is there any way to use Azure AD as a directory?
There is an Azure AD application in the applications section; can we use it to import users from Azure AD? It seems like it's an SSO app only and does not do user provisioning/syncing!
Out of desperation, I also tried Azure AD Connect to sync a dummy on-prem AD DS to Azure AD and then sync this dummy AD DS to OneLogin, but this seems like a very hackish way to do it and has its own host of problems.
I'm not able to figure out how to contact support; there is no support email mentioned on the website anywhere.
Not similar to Connecting OneLogin to Azure AD, as I am trying to add Azure AD as a directory and the aforementioned question is about an error in federation configuration in the Office 365 application of OneLogin.
Any help on this would be immensely appreciated! Thanks in advance!
After a conversation with OneLogin support, here are a few ways to achieve this, paraphrased:
"We are not able to utilise Azure AD as a classic on-premise directory (such as we might use for AD synchronisation using the OneLogin Active Directory Connector) although customers who pay extra to Microsoft and have enabled LDAP are able to use our "LDAP via SSL" option although this does not allow for any customisation.
We do have plans to deliver some expanded directory offering but there is no release date for this and you can register a vote and add use-case notes for this request using our IDEAS channel. On US based systems you can use the IDEAS button available at the bottom right corner of the administration screen otherwise access https://onelogin.ideas.aha.io, select your tenant and then login. Then look at https://onelogin.ideas.aha.io/ideas/IDEAS-I-1488
If you can generate a CSV list of users in AD then you can import users using a CSV file into OneLogin - still a manual process but you may find this less complex than using the on-premise server - see https://onelogin.service-now.com/kb_view.do?sysparm_article=KB0010529
The "Azure AD application in the applications section" is for going in the other direction and is for using SAML 2.0 with OneLogin as an Identity Provider and is used for Microsoft Azure AD tenancies where there is no Office 365 involved but users need access to other apps installed in Azure AD.
The other mechanism being used is to have Azure AD as a Trusted IdP and then also enable Just-In-Time provisioning. This allows the Azure AD users to authenticate to Microsoft and then have a SAML assertion sent into OneLogin and dynamically create all the required fields that the classic directory synchronisation might have allowed (see https://onelogin.service-now.com/kb_view.do?sysparm_article=KB0011181)"
I decided to try Just-In-Time provisioning, will update if any blockers!

Azure B2C login problems

I need to resolve the B2C login in a web application. I'm very new to B2C. Will the B2C token contain the user information? Can I set all the data that I need in the claims?
I must extend it with data from our DB; is that possible, too?
What specific issue are you running into? I can better diagnose your problem if you give me a bit more information.
If you follow the official Microsoft guide for ASP.NET web applications using B2C you can easily achieve B2C login. The guide comes with an accompanying Github sample that you can clone in order to achieve what you are looking for. Here you can also check out the B2C token reference page to see the contents of each type of token in B2C. You can use ID tokens to identify users in your app.
As for your second question, you can migrate data from your local database to Azure AD B2C but just cannot use Azure SQL. See this migration guide to learn how to do this using Azure AD Graph API.

Experiences with migration from OKTA to Azure AD

I'm wondering if anybody can share some practical experience here:
I have a client making extensive use of the OKTA identity solution for single sign-on to various cloud/web applications (both internal and external) as well as extensive provisioning options (creating users in SaaS apps, adding them to groups etc.). They also use OKTA in combination with RADIUS to provide MFA for Linux users setting up VPNs and for shell login on Linux (dev-ops) servers. Their sign-in to O365 / D365 is at this stage also federated via OKTA, performing SSO into on-premise Active Directory.
When they implemented OKTA 2 years ago, Azure AD was not yet mature enough in this area, but my feeling is that it has since become mature enough to replace OKTA. We want to make use of AAD Premium for SSO and provisioning, the Microsoft Company Portal, and Azure App Proxy as a reverse proxy for internal web applications. We also want to use the NPS plugin for AAD MFA to provide MFA during RADIUS login requests.
In other words, we will need to make use of just about every tool in the Azure AD box to meet the various requirements imposed by the migration from OKTA (the current implementation has unfortunately become a "requirement").
Does anybody have experience with migration from OKTA to AAD?
Are there any experiences with extensive use of the provisioning options for SaaS apps in AAD?
Any advice, tips, or experiences are welcome and much appreciated.
